Started this before change to "New Blogger", as backup in case of trouble with digiphoto blog "In a Small Dark Room", or rants & links blog "Hello Cruel World" . Useful - at one stage Dark Room was there, but like the astrophysical Dark Matter, we could't see it ... better now, but kept Just In Case.

There is nothing. There is no God and no universe, there is only empty
space, and in it a lost and homeless and wandering and companionless
and indestructible Thought. And I am that thought. And God, and the
Universe, and Time, and Life, and Death, and Joy and Sorrow and Pain
only a grotesque and brutal dream, evolved from the frantic imagination
of that same Thought.
Mark Twain (letter to Joseph Twichell after his wife's death)
[me, on a bad day]
WRITER'S LINKS
Absolute Write Paypal donation button:
Absolute Write is one of the leading sites for information on writing and publishing, especially the scam versions thereof.
It has a broad, deep online community with an enormous message base going back years. Now it needs help.
See the details and discussion herePreditors and EditorsEverything you wanted to know about literary agentsOn the getting of agentsWriter BewareMiss SnarkWriter's Net (and my Wish List)

2003-08-31

Might be useful - some anti-worm instructions

W32/Blaster-A disinfection instructions and FAQ
At the time of writing, W32/Blaster-A </virusinfo/analyses/w32blastera.html>
(also known as: W32/Lovsan.worm, W32.Blaster.Worm, WORM_MSBLAST.A) is
spreading in the wild. W32/Blaster-A is a worm that scans networks looking
for computers vulnerable to Microsoft's DCOM RPC security exploit. On
finding a suitable victim the worm causes the remote machine to acquire a
copy of the worm using TFTP, which is saved as msblast.exe in the Windows
system folder.
1. How do I prevent W32/Blaster-A spreading on my network?
2. How do I remove W32/Blaster-A automatically?
3. How do I remove W32/Blaster-A manually?
4. Which systems are affected?
5. How did my computer become infected?
6. Background technical information
7. Where should I put the W32/Blaster-A virus identity (IDE) file?
8. My computer is continuously rebooting, how can I download RESOLVE?
1. How do I prevent W32/Blaster-A spreading on my network?
Network administrators are strongly advised to perform the following
operations to limit the impact of the worm
* Download and deploy Microsoft patch MS03-026
W32/Blaster-A exploits a vulnerability that can be patched. To read more
about the vulnerability and download the patch for deployment, go here
www.microsoft.com/security/security_bulletins/ms03-026.asp. On
standalone computers, update with all relevant security patches from Windows
update www.windowsupdate.com.
Administrators are advised to deploy the patch to internet enabled
workstations and internal company networks, paying particular attention to
proxy/gateway computers.
* Rename tftp.exe
The worm utilises tftp.exe, a Windows native program. If tftp.exe exists on
your network, and you have no business need for it, rename it (e.g. to
tftp-exe.old). You should not delete it as future legitimate software may
require it.
* Block traffic to certain ports on your firewall
Administrators should block incoming traffic on the following ports:
* tcp/69 (used by the TFTP process)
* tcp/135 (used by RPC remote access)
* tcp/4444 (used by this worm to connect)
This should primarily be implemented on your internet
firewall. Where appropriate, you should also block access to these ports to
prevent access from potentially infected non-trusted networks.
<>
2. How do I remove W32/Blaster-A automatically?
W32/Blaster-A can be removed from Windows 95/98/Me/NT/2000/XP computers
automatically with RESOLVE
* download the RESOLVE W32/Blaster-A self-extractor
www.sophos.com/misc/blastsfx.exe and double-click it (the contents
will extract to C:\SOPHTEMP)
* select Start|Run then type cmd (on Windows 95/98/Me type command) to
open a command prompt
* click OK
* to remove the worm non-interactively type
C:\SOPHTEMP\RESOLVE.COM -DF=BLASTERA.DAT -NOC
and press the Enter key
* .
The above process will remove the infected file from memory, clean the
registry and remove the infected file from the system.
After removing the worm you should install the patch mentioned above.
You can find detailed instructions on running RESOLVE in the notes enclosed
in the self-extractor.
To remove W32/Blaster-A on other platforms please follow the instructions
for removing worms. >/support/disinfection/worms.html<
<>
3. How do I remove W32/Blaster-A manually?
To remove W32/Blaster-A manually on Windows 95/98/Me and Windows NT/2000/XP
* ensure you have installed Microsoft patch MS03-026
http://www.microsoft.com/security/security_bulletins/ms03-026.asp and
implemented as many of the steps mentioned above as is feasible.
* press Ctrl+Alt+Del
* in Windows NT/2000/XP click Task Manager and select the Processes
tab
* look for a process named msblast.exe in the list
* click the process to highlight it
* click the 'End Process' (in Windows 95/98/Me 'End Task') button
* close Task Manager.
In Windows NT/2000/XP you will also need to edit the following registry
entry. The removal of this entry is optional in Windows 95/98/Me. Please
read the warning about editing the registry </support/faqs/tpti.html>.
* At the taskbar, click Start|Run. Type 'Regedit' and press Return.
The registry editor opens.
* Before you edit the registry, you should make a backup
</support/faqs/tpti.html>. If in doubt, contact your network administrator.
Incorrect editing of the Windows Registry can cause system failure.
* Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
in the righthand pane select
windows auto update = msblast.exe
and delete it if it exists.
* Close the registry editor.
You should reboot your computer and repeat the above process to ensure all
traces of the worm have been removed from your system.
If you have any problems removing W32/Blaster-A after following these
instructions, please contact technical support >/support/queries/<.
To remove W32/Blaster-A on other platforms please follow the instructions
for removing worms. >/support/disinfection/worms.html<
<>
4. Which systems are affected?
* Windows 95/98/Me and Windows NT/2000/XP are potentially affected
* Apple-based workstations, Unix and other platforms (including PDAs
and games consoles) cannot be infected with W32/Blaster-A
If a W32/Blaster-A file is found on a computer, it has been dropped there by
an infected computer, or it has been executed locally.
<>
5. How did my computer become infected?
W32/Blaster-A scans the internet and local networks looking for computers
vulnerable to Microsoft's DCOM RPC security exploit
http://www.microsoft.com/security/security_bulletins/ms03-026.asp. When it
finds one it causes the remote computer to use TFTP to download a copy of
the worm. This is saved as msblast.exe in the Windows system folder and the
registry on that computer is changed so that the worm will be run when the
computer restarts.
<<...OLE_Obj...>>
6. Background technical information
The TFTP (Trivial File Transfer Protocol) process uses port 69 by default.
Blocking access to this port will prevent outgoing TFTP requests. RPC
(Remote Procedure Calls) packets normally connect on port 135, preventing
access to this port will stop infected machines requesting connections.
Computers infected with W32/Blaster-A will attempt to connect to port 4444
and send a command to initiate the transfer of msblast.exe and start it.
Blocking access to this port will prevent the attacking machine connecting to the victim computer.
<<...OLE_Obj...>>
7. Where should I put the W32/Blaster-A virus identity (IDE) file?
If you have a single computer:
* Windows NT/2000/XP -> C:\Program files\Sophos SWEEP for NT
* Windows 95/98/Me -> C:\Program files\Sophos SWEEP
then reboot the computer.
If you are maintaining a network, see How to use virus identity (IDE) files
</support/faqs/usingides.html<.
<<...OLE_Obj...>>
8. My computer is continuously rebooting, how can I download RESOLVE?
Often when a computer is infected with W32/Blaster-A it restarts every few
minutes, usually with a message similar to "Windows must now restart because
the Remote Procedure Call (RPC) Terminated Unexpectedly". This prevents the
required patches and files from being downloaded.
On Windows XP you may be able to prevent the computer from rebooting by
turning on the inbuilt firewall.
To do this:
* go to Network Connections,
* click on your internet connection (LAN or dial-up),
* on the lefthand window click 'Change settings of this connection',
* click Advanced,
* click 'Protect my computer.....',
* you will probably then be able to download the files you need.
Where possible, download the RESOLVE W32/Blaster-A self-extractor </misc/blastsfx.exe< on another computer. Save it to floppy disk and run the self-extractor on the affected computer.
If you cannot download on another computer, disable Distributed COM to prevent this rebooting.
Windows XP
* Select Start|Run and type
dcomcnfg.exe.
* Select Console Root|Component services.
* Open the Computers subfolder.
* Right-click on My Computer|Properties.
* Click the Default Properties tab.
* Deselect 'Enable distributed COM', click Apply then click OK.
* Restart the computer.
Set the options back to normal after applying relevant patches and IDEs.
Windows NT/2000
* Select Start|Run and type
dcomcnfg.exe.
* Select the Default Properties tab.
* Deselect 'Enable distributed COM on this computer', click Apply then
click OK.
* Restart the computer.i
Set the options back to normal after applying relevant patches and IDEs.
Windows 95/98/Me
Clean boot or go into DOS Mode (Windows 95/98) and use SWEEP with the W32/Blaster-A IDE to disinfect.
Use a firewall or disable 'File and print sharing' to protect the computer from further infection.